<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Danyhug's Blog</title><meta name="author" content="Danyhug"><meta name="copyright" content="Danyhug"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta http-equiv="Cache-Control" content="no-transform"><meta http-equiv="Cache-Control" content="no-siteapp"><meta property="og:type" content="website">
<meta property="og:title" content="Danyhug&#39;s Blog">
<meta property="og:url" content="http://danyhug.gitee.io/blog/page/3/index.html">
<meta property="og:site_name" content="Danyhug&#39;s Blog">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="http://q1.qlogo.cn/g?b=qq&nk=153669225&s=100">
<meta property="article:author" content="Danyhug">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="http://q1.qlogo.cn/g?b=qq&nk=153669225&s=100"><link rel="shortcut icon" href="/blog/img/favicon.png"><link rel="canonical" href="http://danyhug.gitee.io/blog/page/3/">
<!-- NOTE(review): protocol-relative preconnect hints; an explicit https: origin avoids a cleartext connection when the page itself is served over http. -->
<link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/blog/css/index.css">
<!-- NOTE(review): third-party stylesheet loaded from a public CDN at an unpinned version and without an integrity (SRI) attribute, so a compromised or modified CDN asset would be accepted silently. The inline onload handler also needs 'unsafe-inline' under a Content-Security-Policy. -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><script>
// Theme-wide configuration emitted by the generator (Hexo / Butterfly, per the
// generator meta further down). Read by the theme scripts loaded at the end of
// <body>; nothing here is user-editable at runtime.
var GLOBAL_CONFIG = { 
  // URL prefix under which the site is served.
  root: '/blog/',
  // Optional theme features; `undefined` means the feature is not configured in this build.
  algolia: undefined,
  localSearch: undefined,
  translate: undefined,
  noticeOutdate: undefined,
  // Code-block highlighting: plugin name (value as emitted by the generator), copy button, language label.
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true},
  // User-facing messages shown after a copy-to-clipboard attempt (success / error / unsupported browser).
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  // Whether dates are rendered relative ("3 days ago") on the homepage and on posts.
  relativeDate: {
    homepage: false,
    post: false
  },
  // Unit label appended to the site-uptime counter ("days").
  runtime: '天',
  // Suffixes used when rendering relative dates (just now / minutes / hours / days / months ago).
  date_suffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  // Image lightbox implementation; the matching assets are listed under `source`.
  lightbox: 'fancybox',
  Snackbar: undefined,
  // Third-party assets loaded on demand (presumably via getScript below).
  // NOTE(review): `@latest` tags float to whatever the CDN currently serves and cannot
  // be paired with subresource-integrity hashes, so the page executes whatever the CDN
  // returns. Pinning exact versions (and adding integrity where the loader supports it)
  // would close that supply-chain exposure.
  source: {
    jQuery: 'https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js',
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/js/jquery.justifiedGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/css/justifiedGallery.min.css'
    },
    fancybox: {
      js: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js',
      css: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.css'
    }
  },
  // Gallery / image behaviour toggles.
  isPhotoFigcaption: false,
  islazyload: false,
  isanchor: false
};

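/**
 * Thin localStorage wrapper that stores a value together with an expiry
 * timestamp so stale entries are dropped on read.
 *
 * Records are serialised as JSON in the shape `{ value, expiry }`, where
 * `expiry` is an epoch-milliseconds deadline.
 */
var saveToLocal = {
  /**
   * Store `value` under `key`, valid for `ttl` days.
   * @param {string} key   localStorage key
   * @param {*}      value any JSON-serialisable value
   * @param {number} ttl   lifetime in days (fractions allowed)
   */
  set: function setWithExpiry(key, value, ttl) {
    const now = new Date()
    const expiryDay = ttl * 86400000 // days -> milliseconds
    const item = {
      value: value,
      expiry: now.getTime() + expiryDay,
    }
    localStorage.setItem(key, JSON.stringify(item))
  },

  /**
   * Read the value stored under `key`.
   *
   * localStorage is writable by any script on this origin (and by the user
   * through devtools), so the stored string is treated as untrusted input:
   * anything that does not parse as JSON, or does not have the `{ value,
   * expiry }` shape written by `set`, is removed and reported as absent.
   * The previous implementation let JSON.parse throw, which aborted the
   * theme-initialisation script that calls this during page load.
   *
   * @param {string} key localStorage key
   * @returns {*} the stored value, or `undefined` when missing, expired or malformed
   */
  get: function getWithExpiry(key) {
    const itemStr = localStorage.getItem(key)

    if (!itemStr) {
      return undefined
    }

    let item
    try {
      item = JSON.parse(itemStr)
    } catch (e) {
      item = null
    }
    // Reject anything that is not a record with a numeric expiry
    // (a `null`/NaN expiry produced by a missing ttl is treated as expired,
    // matching the previous behaviour).
    if (item === null || typeof item !== 'object' || typeof item.expiry !== 'number') {
      localStorage.removeItem(key)
      return undefined
    }

    const now = new Date()
    if (now.getTime() > item.expiry) {
      localStorage.removeItem(key)
      return undefined
    }
    return item.value
  }
}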

// https://stackoverflow.com/questions/16839698/jquery-getscript-alternative-in-native-javascript
/**
 * Load an external script by appending a <script> element to <head>.
 *
 * The returned promise resolves once the browser reports the script loaded
 * and rejects on a load error. No validation is done on `url`: whatever is
 * fetched runs with full page privileges, so callers must pass only trusted
 * URLs (here they come from GLOBAL_CONFIG.source above).
 *
 * @param {string} url absolute or site-relative script URL
 * @returns {Promise<void>}
 */
const getScript = url => new Promise((resolve, reject) => {
  const script = document.createElement('script')
  script.src = url
  script.async = true
  script.onerror = reject
  // Older engines expose readyState instead of firing onload; when it is
  // present, wait until it reaches 'loaded' or 'complete'.
  script.onload = script.onreadystatechange = function() {
    const loadState = this.readyState
    if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
    // Detach both handlers so resolve() runs once.
    script.onload = script.onreadystatechange = null
    resolve()
  }
  document.head.appendChild(script)
})</script><script id="config_change">
// Per-page flags emitted by the generator (this is a homepage listing, not a post);
// presumably consumed by the theme scripts for layout decisions.
var GLOBAL_CONFIG_SITE = { 
  isPost: false,
  isHome: true,
  isHighlightShrink: false,
  isToc: false,
  // Last site build/update timestamp, as a display string.
  postUpdate: '2021-06-19 16:51:06'
}</script><noscript><style type="text/css">
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(function () {  window.activateDarkMode = function () {
    document.documentElement.setAttribute('data-theme', 'dark')
    if (document.querySelector('meta[name="theme-color"]') !== null) {
      document.querySelector('meta[name="theme-color"]').setAttribute('content', '#0d0d0d')
    }
  }
  window.activateLightMode = function () {
    document.documentElement.setAttribute('data-theme', 'light')
   if (document.querySelector('meta[name="theme-color"]') !== null) {
      document.querySelector('meta[name="theme-color"]').setAttribute('content', '#ffffff')
    }
  }
  const autoChangeMode = 'false'
  const t = saveToLocal.get('theme')
  if (autoChangeMode === '1') {
    const isDarkMode = window.matchMedia('(prefers-color-scheme: dark)').matches
    const isLightMode = window.matchMedia('(prefers-color-scheme: light)').matches
    const isNotSpecified = window.matchMedia('(prefers-color-scheme: no-preference)').matches
    const hasNoSupport = !isDarkMode && !isLightMode && !isNotSpecified
    if (t === undefined) {
      if (isLightMode) activateLightMode()
      else if (isDarkMode) activateDarkMode()
      else if (isNotSpecified || hasNoSupport) {
        const now = new Date()
        const hour = now.getHours()
        const isNight = hour <= 6 || hour >= 18
        isNight ? activateDarkMode() : activateLightMode()
      }
      window.matchMedia('(prefers-color-scheme: dark)').addListener(function (e) {
        if (saveToLocal.get('theme') === undefined) {
          e.matches ? activateDarkMode() : activateLightMode()
        }
      })
    } else if (t === 'light') activateLightMode()
    else activateDarkMode()
  } else if (autoChangeMode === '2') {
    const now = new Date()
    const hour = now.getHours()
    const isNight = hour <= 6 || hour >= 18
    if (t === undefined) isNight ? activateDarkMode() : activateLightMode()
    else if (t === 'light') activateLightMode()
    else activateDarkMode()
  } else {
    if (t === 'dark') activateDarkMode()
    else if (t === 'light') activateLightMode()
  }const asideStatus = saveToLocal.get('aside-status')
if (asideStatus !== undefined) {
   if (asideStatus === 'hide') {
     document.documentElement.classList.add('hide-aside')
   } else {
     document.documentElement.classList.remove('hide-aside')
   }
}const fontSizeVal = saveToLocal.get('global-font-size')
if (fontSizeVal !== undefined) {
  document.documentElement.style.setProperty('--global-font-size', fontSizeVal + 'px')
}})()</script><meta name="generator" content="Hexo 5.3.0"></head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="author-avatar"><img class="avatar-img" src="http://q1.qlogo.cn/g?b=qq&amp;nk=153669225&amp;s=100" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data"><div class="data-item is-center"><div class="data-item-link"><a href="/blog/archives/"><div class="headline">文章</div><div class="length-num">33</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/blog/tags/"><div class="headline">标签</div><div class="length-num">18</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/blog/categories/"><div class="headline">分类</div><div class="length-num">5</div></a></div></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/blog/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/blog/archives/"><i class="fa-fw fas fa-archive"></i><span> 时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/blog/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/blog/link/"><i class="fa-fw fas fa-link"></i><span> 友链</span></a></div><div class="menus_item"><a class="site-page" href="/blog/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div></div></div><div id="body-wrap"><header class="full_page" id="page-header" style="background-image: url(/blog/img/bg.jpg)"><nav id="nav"><span id="blog_name"><a id="site-name" href="/blog/">Danyhug's Blog</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/blog/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/blog/archives/"><i class="fa-fw fas fa-archive"></i><span> 
时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/blog/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/blog/link/"><i class="fa-fw fas fa-link"></i><span> 友链</span></a></div><div class="menus_item"><a class="site-page" href="/blog/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="site-info"><h1 id="site-title">Danyhug's Blog</h1><div id="site-subtitle"><span id="subtitle"></span></div><div id="site_social_icons"><a class="social-icon" href="https://gitee.com/danyhug" target="_blank" title="Gitee"><i class="fab fa-github"></i></a><a class="social-icon" href="mailto:danyhug@qq.com" target="_blank" title="Email"><i class="fas fa-envelope"></i></a></div></div><div id="scroll-down"><i class="fas fa-angle-down scroll-down-effects"></i></div></header><main class="layout" id="content-inner"><div class="recent-posts" id="recent-posts"><div class="recent-post-item"><div class="post_cover left_radius"><a href="/blog/2021/01/04/%E7%AC%AC%E4%B9%9D%E5%91%A8-%E8%AF%95%E4%B8%8Bphpinfo%E5%90%A7/" title="第九周 | 试下phpinfo吧">     <img class="post_bg" src="/blog/img/postimg/21-1-4-week9.png" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="第九周 | 试下phpinfo吧"></a></div><div class="recent-post-info"><a class="article-title" href="/blog/2021/01/04/%E7%AC%AC%E4%B9%9D%E5%91%A8-%E8%AF%95%E4%B8%8Bphpinfo%E5%90%A7/" title="第九周 | 试下phpinfo吧">第九周 | 试下phpinfo吧</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-01-04T14:13:55.000Z" title="发表于 2021-01-04 22:13:55">2021-01-04</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox article-meta__icon"></i><a class="article-meta__categories" 
href="/blog/categories/CTF/">CTF</a></span></div><div class="content">
flag就在题目里哟！不要因为第一眼看不到就放弃了！但是phpinfo在哪里呢？切换下路径试试？


根据给的提示信息，猜测flag可能在phpinfo中

打开页面，只有一个选择框，一个按钮，将中文改变为英文，发现地址栏的地址变成了?lang=en.php

将?lang=en.php改为?lang=phpinfo();尝试一下，没有回显

尝试一下路径穿越，将?lang=en.php改为?lang=../../../../etc/passwd，有回显

目录穿越（directory traversal）是一种针对Web服务器的攻击手法，攻击者利用它除了能访问Web根目录内的内容，还能读取根目录之外的文件。


猜目录?lang=../../../../phpinfo.php，无回显

猜目录?lang=../../../../etc/hosts，无回显

猜目录?lang=/etc/passwd，有回显

猜目录?lang=/phpinfo.php，无回显

猜目录?lang=../phpinfo.php，有回显，翻到页面底部

如果没有改变，默认路径应该是在/var ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/blog/2021/01/04/%E7%AC%AC%E5%85%AB%E5%91%A8-%E9%9A%8F%E6%84%8F%E7%9A%84%E4%B8%8A%E4%BC%A0/" title="第八周 | 随意的上传">     <img class="post_bg" src="/blog/img/postimg/21-1-4-week8.png" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="第八周 | 随意的上传"></a></div><div class="recent-post-info"><a class="article-title" href="/blog/2021/01/04/%E7%AC%AC%E5%85%AB%E5%91%A8-%E9%9A%8F%E6%84%8F%E7%9A%84%E4%B8%8A%E4%BC%A0/" title="第八周 | 随意的上传">第八周 | 随意的上传</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-01-04T12:50:31.000Z" title="发表于 2021-01-04 20:50:31">2021-01-04</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox article-meta__icon"></i><a class="article-meta__categories" href="/blog/categories/CTF/">CTF</a></span></div><div class="content">
想传什么就传什么，无所谓！flag在/var/www/html/flag.php


下面有提示：随意到不提供工具？你打开C盘的tools看看呢~


打开C盘下的tools看一下，有sqlmap，中国菜刀，burpsuite

打开中国菜刀目录下的一句话.txt，将这段话复制到一个php文件中（使用GET方法涉及到URL转码问题）
1&lt;?php @eval($_POST[&#x27;chopper&#x27;]);?&gt;
上传此文件，单击“上传成功”，跳转到我们上传的文件，发现php代码没有被解析，将上面代码改为
1&lt;script language=&quot;php&quot;&gt;&lt;?php @eval($_POST[&#x27;g&#x27;]);?&gt;
上传后发现网页不显示内容，查看源发现代码还是没有被解析，但language的值php没了，推断可能是把php过滤了，将php改为pHp，再次提交，结果正常
1&lt;script language=&quot;pHp&quot;&gt;&lt;?php @eval($_POST[&#x27;g&# ...</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/blog/2021/01/04/%E7%AC%AC%E4%B8%83%E5%91%A8-%E5%86%8D%E8%A7%81%E4%B8%8A%E4%BC%A0/" title="第七周 | 再见上传">     <img class="post_bg" src="/blog/img/postimg/21-1-4-week7.png" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="第七周 | 再见上传"></a></div><div class="recent-post-info"><a class="article-title" href="/blog/2021/01/04/%E7%AC%AC%E4%B8%83%E5%91%A8-%E5%86%8D%E8%A7%81%E4%B8%8A%E4%BC%A0/" title="第七周 | 再见上传">第七周 | 再见上传</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-01-04T11:13:06.000Z" title="发表于 2021-01-04 19:13:06">2021-01-04</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox article-meta__icon"></i><a class="article-meta__categories" href="/blog/categories/CTF/">CTF</a></span></div><div class="content">
挺简单的上传，多尝试几次吧


上传一个图片测试，上传页面显示了这几个内容

文件后缀 -&gt; png
文件类型 -&gt; image/png
文件大小 -&gt; 350kb
存储位置
提示上传php文件


打开burpsuite，设置代理，刷新上传页面抓包

将filename改为*.php，forward，页面提示：不被允许的文件类型,仅支持上传jpg,gif,png后缀的文件

将filename改为*.phtml，forward，页面提示：不被允许的文件类型,仅支持上传jpg,gif,png后缀的文件

尝试使用%00截断，将上方的/uploads/（即上传目录改为）/uploads/1.php%00，因为使用post提交，再将%00URL编码为  ，forward，恭喜获得女朋友一枚🤧

 %00 截断在 GET 中被 url 解码之后是空字符。但是在 POST 中 %00 不会被 url 解码，所以只能通过 burpsuite 修改 hex 值为 00 （URL decode）进行截断


flag{asdf_hetianlab_com} 


</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/blog/2021/01/03/%E7%AC%AC%E5%85%AD%E5%91%A8-%E5%A5%97%E5%A8%83%E4%B8%80%E6%A0%B7%E7%9A%84%E4%B8%8A%E4%BC%A0/" title="第六周 | 套娃一样的上传">     <img class="post_bg" src="/blog/img/postimg/21-1-3-week6.png" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="第六周 | 套娃一样的上传"></a></div><div class="recent-post-info"><a class="article-title" href="/blog/2021/01/03/%E7%AC%AC%E5%85%AD%E5%91%A8-%E5%A5%97%E5%A8%83%E4%B8%80%E6%A0%B7%E7%9A%84%E4%B8%8A%E4%BC%A0/" title="第六周 | 套娃一样的上传">第六周 | 套娃一样的上传</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-01-03T07:12:40.000Z" title="发表于 2021-01-03 15:12:40">2021-01-03</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox article-meta__icon"></i><a class="article-meta__categories" href="/blog/categories/CTF/">CTF</a></span></div><div class="content">
你套过娃吗？这是真的套娃


上传图片看一下，提示：只要你不改变cookie你的上传文件名就不会改变，但是你传的这种文件执行不了并没有什么用所以我给你删掉了，需要的脚本文件才能黑掉我。黑人问号？？？
查看源，也是说只能上传png,bmp,gif这类的图片
查看一下cookie，cookie有个PHPSESSID，改变值才能改变上传的文件名
万事不决先抓包，打开burpsuite，设置浏览器代理，上传文件，将filename的后缀改为php（php毕竟也是脚本语言），提示：恭喜你通过第一层防护！！听说第二层和文件mime有关，第二层也轻松通过。。。但是这个文件后缀在上传黑名单里 你需要绕过第三层防护
虽然不知道第二层咋过的，不过看第三层的意思，应该是得改后缀名，将后缀名改为phtml，第二层绕过（咋又绕过一次），同时提示：下一层与长度有关，听说你17张牌能秒我？17张牌？得得得得得得得得得得得得得得得
重新上传，将filename改成aaaaaaaaaaaaaaaaa.phtml（文件名长度为17），失败，还是上面的提示，判断可能是指文件内容长度为17
桌面新建文本文件，输入aaaaaaaa ...</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/blog/2021/01/03/%E7%AC%AC%E4%BA%94%E5%91%A8-Easy-upload/" title="第五周 | Easy upload">     <img class="post_bg" src="/blog/img/postimg/21-1-3-week5.png" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="第五周 | Easy upload"></a></div><div class="recent-post-info"><a class="article-title" href="/blog/2021/01/03/%E7%AC%AC%E4%BA%94%E5%91%A8-Easy-upload/" title="第五周 | Easy upload">第五周 | Easy upload</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-01-03T06:49:56.000Z" title="发表于 2021-01-03 14:49:56">2021-01-03</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox article-meta__icon"></i><a class="article-meta__categories" href="/blog/categories/CTF/">CTF</a></span></div><div class="content">
害！上传上到心态崩了呀！


将计算机-图片中的图片拖出，上传，提示需要上传一个give_me_flag.php才能给flag

查看源
1234567891011121314151617181920function checkFile()&#123;     var flag = false;     var str = document.getElementById(&quot;file&quot;).value;     str = str.substring(str.lastIndexOf(&#x27;.&#x27;) + 1);     var arr = new Array(&#x27;png&#x27;,&#x27;jpg&#x27;,&#x27;gif&#x27;);     for(var i=0;i&lt;arr.length;i++)     &#123;         if(str==arr[i])         &#123;            flag = true;         &#125;     &#125;     if(!flag)   ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/blog/2021/01/03/%E7%AC%AC%E5%9B%9B%E5%91%A8-Check-your-source-code/" title="第四周 | Check your source code">     <img class="post_bg" src="/blog/img/postimg/21-1-3-week4.png" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="第四周 | Check your source code"></a></div><div class="recent-post-info"><a class="article-title" href="/blog/2021/01/03/%E7%AC%AC%E5%9B%9B%E5%91%A8-Check-your-source-code/" title="第四周 | Check your source code">第四周 | Check your source code</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-01-03T06:04:05.000Z" title="发表于 2021-01-03 14:04:05">2021-01-03</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox article-meta__icon"></i><a class="article-meta__categories" href="/blog/categories/CTF/">CTF</a></span></div><div class="content">
你会代码吗？不会就洗洗睡吧


没有robots.txt文件

没有cookie

查看源代码发现
1&lt;!-- /source.txt --&gt;
打开该文件
123456789101112131415161718192021222324252627  &lt;?php  $flag = &quot;XXXXXXXXXXXXXXXX&quot;;  $secret = &quot;xx&quot;;  if(!isset($_POST[&quot;username&quot;]) || !isset($_POST[&quot;password&quot;]))&#123;      exit();  &#125;  $username = $_POST[&quot;username&quot;];  $password = $_POST[&quot;password&quot;];  if (!empty($_COOKIE[&quot;check&quot;])) &#123;if (urldecode($username) === &quot;admin&quot; &am ...</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/blog/2021/01/03/%E7%AC%AC%E4%B8%89%E5%91%A8-%E8%BF%B7%E4%BA%86%E8%B7%AF/" title="第三周 | 迷了路">     <img class="post_bg" src="/blog/img/postimg/21-1-3-week3.png" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="第三周 | 迷了路"></a></div><div class="recent-post-info"><a class="article-title" href="/blog/2021/01/03/%E7%AC%AC%E4%B8%89%E5%91%A8-%E8%BF%B7%E4%BA%86%E8%B7%AF/" title="第三周 | 迷了路">第三周 | 迷了路</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-01-03T05:49:46.000Z" title="发表于 2021-01-03 13:49:46">2021-01-03</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox article-meta__icon"></i><a class="article-meta__categories" href="/blog/categories/CTF/">CTF</a></span></div><div class="content">
学会八国语言，我带上你，你带上钱，我们出国走一走


发现没有robots.txt文件
没有cookie
最下面有flag{，不知道是啥意思
网页首页有一堆国家的国旗，再查看请求头，发现有Accept-Language，推断可能和这个有关
打开burpsuite，设置浏览器代理，刷新抓包
proxy-send to repeater，修改Accept-Language的值
以上所有国家的代码分别是en-US en-GB fr-FR de-DE ja-JP ko-KR es sv-SE
依次修改并send
flag{Thisis_hetianlab@}

</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/blog/2021/01/03/%E7%AC%AC%E4%BA%8C%E5%91%A8-%E5%B0%B1%E5%B7%AE%E4%B8%80%E6%8A%8A%E9%92%A5%E5%8C%99/" title="第二周 | 就差一把钥匙">     <img class="post_bg" src="/blog/img/postimg/21-1-3-week2.png" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="第二周 | 就差一把钥匙"></a></div><div class="recent-post-info"><a class="article-title" href="/blog/2021/01/03/%E7%AC%AC%E4%BA%8C%E5%91%A8-%E5%B0%B1%E5%B7%AE%E4%B8%80%E6%8A%8A%E9%92%A5%E5%8C%99/" title="第二周 | 就差一把钥匙">第二周 | 就差一把钥匙</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-01-03T05:27:04.000Z" title="发表于 2021-01-03 13:27:04">2021-01-03</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox article-meta__icon"></i><a class="article-meta__categories" href="/blog/categories/CTF/">CTF</a></span></div><div class="content">
内网中有一串神奇的代码，你能想办法把它找出来吗？


查看robots.txt，有/console/目录，进入目录

提示IP不在授权范围内，尝试使用XFF

X-Forwarded-For

百度百科：X-Forwarded-For（XFF）是用来识别通过HTTP代理或负载均衡方式连接到Web服务器的客户端最原始的IP地址的HTTP请求头字段。

即请求端的IP地址


打开burpsuite，设置浏览器代理，刷新网页抓包

proxy-send to repeater，左侧添加X-Forwarded-For:127.0.0.1，点击send

flag{hetianlab-weekctf}


</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/blog/2021/01/03/%E7%AC%AC%E4%B8%80%E5%91%A8-%E7%A5%9E%E5%A5%87%E7%9A%84%E7%A3%81%E5%B8%A6/" title="第一周 | 神奇的磁带">     <img class="post_bg" src="/blog/img/postimg/21-1-3-week1.png" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="第一周 | 神奇的磁带"></a></div><div class="recent-post-info"><a class="article-title" href="/blog/2021/01/03/%E7%AC%AC%E4%B8%80%E5%91%A8-%E7%A5%9E%E5%A5%87%E7%9A%84%E7%A3%81%E5%B8%A6/" title="第一周 | 神奇的磁带">第一周 | 神奇的磁带</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-01-03T03:51:59.000Z" title="发表于 2021-01-03 11:51:59">2021-01-03</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox article-meta__icon"></i><a class="article-meta__categories" href="/blog/categories/CTF/">CTF</a></span></div><div class="content">
Hi ctfer，磁带里有个flag，你能把它拿下吗？


首先火狐进入10.1.1.147:5001

发现没有robots.txt文件

查看源代码，发现有隐藏元素
1&lt;html&gt;&lt;h1 style=&#x27;font-size:0px;&#x27;&gt;./Flag.txt&lt;/h1&gt;&lt;/html&gt;

看一看像乱码。。。

再去看看cookie，cookie为cTEyMzQ1Njc4OTBwLi4=，猜测是base64编码，解码一下得到q1234567890p..，在输入框中输入一下，弹出一个消息框，给了一个谜语，谜底是磁带的英文，即tape，再输入一下

弹出消息框，并奖励flag ./Flag-Win.txt

让说出“天王盖地虎”下一句的拼音缩写，宝塔镇河妖，即btzhy

弹出消息框，又给了个文件Flag-K0r4dji.php

进入Flag-K0r4dji.php发现这是一个全新的页面，查看源，有注释：很简单的两位数，直接爆破

浏览器设置代理，打开burpsuite-proxy，输入框输一个数提交抓包

send to intr ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/blog/2020/12/30/%E6%99%BA%E6%85%A7%E8%81%8C%E6%95%99%E5%88%B7%E8%AF%BE%E9%A2%84%E5%A4%87%E5%B7%A5%E4%BD%9C/" title="智慧职教刷课预备工作">     <img class="post_bg" src="/blog/img/bgimg/1.jpg" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="智慧职教刷课预备工作"></a></div><div class="recent-post-info"><a class="article-title" href="/blog/2020/12/30/%E6%99%BA%E6%85%A7%E8%81%8C%E6%95%99%E5%88%B7%E8%AF%BE%E9%A2%84%E5%A4%87%E5%B7%A5%E4%BD%9C/" title="智慧职教刷课预备工作">智慧职教刷课预备工作</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2020-12-30T06:55:41.000Z" title="发表于 2020-12-30 14:55:41">2020-12-30</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox article-meta__icon"></i><a class="article-meta__categories" href="/blog/categories/%E6%99%BA%E6%85%A7%E8%81%8C%E6%95%99/">智慧职教</a></span></div><div class="content">要求
获取答案：
输入验证码和需要的课后自动获取答案


答题：
根据目录下的答案文件自行答题



接口
登录接口
格式：[post] userName, password, verifycode 

https://mooc.icve.com.cn/portal/LoginMooc/loginSystem

登录验证码

https://mooc.icve.com.cn/portal/LoginMooc/getVerifyCode

获取用户信息

https://mooc.icve.com.cn/portal/LoginMooc/getUserInfo

获取课程列表

https://mooc.icve.com.cn/portal/Course/getMyCourse

获取正在进行的课程

https://mooc.icve.com.cn/portal/Course/getMyCourse?isFinished=0&amp;page=1&amp;pageSize=999

获取作业列表
格式：[post] pageSize=100&amp;page=1&amp;workExa ...</div></div></div><nav id="pagination"><div class="pagination"><a class="extend prev" rel="prev" href="/blog/page/2/"><i class="fas fa-chevron-left fa-fw"></i></a><a class="page-number" href="/blog/">1</a><a class="page-number" href="/blog/page/2/">2</a><span class="page-number current">3</span><a class="page-number" href="/blog/page/4/">4</a><a class="extend next" rel="next" href="/blog/page/4/"><i class="fas fa-chevron-right fa-fw"></i></a></div></nav></div><div class="aside_content" id="aside_content"><div class="card-widget card-info"><div class="card-content"><div class="card-info-avatar is-center"><img class="avatar-img" src="http://q1.qlogo.cn/g?b=qq&amp;nk=153669225&amp;s=100" onerror="this.onerror=null;this.src='/blog/img/friend_404.gif'" alt="avatar"/><div class="author-info__name">Danyhug</div><div class="author-info__description"></div></div><div class="card-info-data"><div class="card-info-data-item is-center"><a href="/blog/archives/"><div class="headline">文章</div><div class="length-num">33</div></a></div><div class="card-info-data-item is-center"><a href="/blog/tags/"><div class="headline">标签</div><div class="length-num">18</div></a></div><div class="card-info-data-item is-center"><a href="/blog/categories/"><div class="headline">分类</div><div class="length-num">5</div></a></div></div><a class="button--animated" id="card-info-btn" target="_blank" rel="noopener" href="https://gitee.com/danyhug"><i class="fab fa-github"></i><span>Follow Me</span></a><div class="card-info-social-icons is-center"><a class="social-icon" href="https://gitee.com/danyhug" target="_blank" title="Gitee"><i class="fab fa-github"></i></a><a class="social-icon" href="mailto:danyhug@qq.com" target="_blank" title="Email"><i class="fas fa-envelope"></i></a></div></div></div><div class="card-widget card-announcement"><div class="card-content"><div class="item-headline"><i class="fas fa-bullhorn 
card-announcement-animation"></i><span>公告</span></div><div class="announcement_content">This is my Blog</div></div></div><div class="sticky_layout"><div class="card-widget card-recent-post"><div class="card-content"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item"><a class="thumbnail" href="/blog/2021/05/09/jQuery%E7%9A%84%E4%B8%80%E4%BA%9B%E6%93%8D%E4%BD%9C/" title="jQuery的一些操作"><img src="/blog/img/bgimg/6.jpg" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="jQuery的一些操作"/></a><div class="content"><a class="title" href="/blog/2021/05/09/jQuery%E7%9A%84%E4%B8%80%E4%BA%9B%E6%93%8D%E4%BD%9C/" title="jQuery的一些操作">jQuery的一些操作</a><time datetime="2021-05-09T02:43:29.000Z" title="发表于 2021-05-09 10:43:29">2021-05-09</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/blog/2021/04/29/%E8%BD%AE%E6%92%AD%E5%9B%BE%E7%9A%84%E5%AE%9E%E7%8E%B0/" title="轮播图的实现"><img src="/blog/img/bgimg/1.jpg" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="轮播图的实现"/></a><div class="content"><a class="title" href="/blog/2021/04/29/%E8%BD%AE%E6%92%AD%E5%9B%BE%E7%9A%84%E5%AE%9E%E7%8E%B0/" title="轮播图的实现">轮播图的实现</a><time datetime="2021-04-29T08:10:46.000Z" title="发表于 2021-04-29 16:10:46">2021-04-29</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/blog/2021/04/23/MYSQL/" title="MYSQL"><img src="/blog/img/bgimg/9.jpg" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="MYSQL"/></a><div class="content"><a class="title" href="/blog/2021/04/23/MYSQL/" title="MYSQL">MYSQL</a><time datetime="2021-04-23T12:22:02.000Z" title="发表于 2021-04-23 20:22:02">2021-04-23</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/blog/2021/03/17/CSS%E6%8A%80%E5%B7%A7/" title="CSS技巧"><img src="/blog/img/bgimg/4.jpg" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="CSS技巧"/></a><div class="content"><a class="title" 
href="/blog/2021/03/17/CSS%E6%8A%80%E5%B7%A7/" title="CSS技巧">CSS技巧</a><time datetime="2021-03-17T04:25:15.000Z" title="发表于 2021-03-17 12:25:15">2021-03-17</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/blog/2021/02/24/%E6%B6%85%E6%99%AEMISC01-%E5%9B%BE%E7%89%87%E9%9A%90%E5%86%99/" title="涅普MISC01-图片隐写"><img src="/blog/img/bgimg/1.jpg" onerror="this.onerror=null;this.src='/blog/img/404.jpg'" alt="涅普MISC01-图片隐写"/></a><div class="content"><a class="title" href="/blog/2021/02/24/%E6%B6%85%E6%99%AEMISC01-%E5%9B%BE%E7%89%87%E9%9A%90%E5%86%99/" title="涅普MISC01-图片隐写">涅普MISC01-图片隐写</a><time datetime="2021-02-24T03:29:38.000Z" title="发表于 2021-02-24 11:29:38">2021-02-24</time></div></div></div></div></div><div class="card-widget card-categories"><div class="card-content"><div class="item-headline"><i class="fas fa-folder-open"></i><span>分类</span></div><ul class="card-category-list" id="aside-cat-list">
            <li class="card-category-list-item "><a class="card-category-list-link" href="/blog/categories/CTF/"><span class="card-category-list-name">CTF</span><span class="card-category-list-count">23</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/blog/categories/C%E8%AF%AD%E8%A8%80/"><span class="card-category-list-name">C语言</span><span class="card-category-list-count">1</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/blog/categories/WEB%E5%89%8D%E7%AB%AF/"><span class="card-category-list-name">WEB前端</span><span class="card-category-list-count">1</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/blog/categories/%E6%99%BA%E6%85%A7%E8%81%8C%E6%95%99/"><span class="card-category-list-name">智慧职教</span><span class="card-category-list-count">2</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/blog/categories/%E6%B1%87%E7%BC%96/"><span class="card-category-list-name">汇编</span><span class="card-category-list-count">1</span></a></li>
            
            </ul></div></div><div class="card-widget card-tags"><div class="card-content"><div class="item-headline"><i class="fas fa-tags"></i><span>标签</span></div><div class="card-tag-cloud"><a href="/blog/tags/C/" style="font-size: 1.1em; color: #999">C</a> <a href="/blog/tags/CSS/" style="font-size: 1.1em; color: #999">CSS</a> <a href="/blog/tags/CTF-Web/" style="font-size: 1.5em; color: #99a9bf">CTF-Web</a> <a href="/blog/tags/DH-Blog/" style="font-size: 1.1em; color: #999">DH-Blog</a> <a href="/blog/tags/GCC/" style="font-size: 1.1em; color: #999">GCC</a> <a href="/blog/tags/MISC/" style="font-size: 1.1em; color: #999">MISC</a> <a href="/blog/tags/Python/" style="font-size: 1.2em; color: #999da3">Python</a> <a href="/blog/tags/SQL%E6%B3%A8%E5%85%A5/" style="font-size: 1.2em; color: #999da3">SQL注入</a> <a href="/blog/tags/SSRF/" style="font-size: 1.2em; color: #999da3">SSRF</a> <a href="/blog/tags/XXE/" style="font-size: 1.2em; color: #999da3">XXE</a> <a href="/blog/tags/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/" style="font-size: 1.4em; color: #99a5b6">代码审计</a> <a href="/blog/tags/%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8/" style="font-size: 1.5em; color: #99a9bf">信息安全</a> <a href="/blog/tags/%E5%89%8D%E7%AB%AF/" style="font-size: 1.1em; color: #999">前端</a> <a href="/blog/tags/%E5%9B%BE%E7%89%87%E9%9A%90%E5%86%99/" style="font-size: 1.1em; color: #999">图片隐写</a> <a href="/blog/tags/%E5%A4%A7%E9%A5%BC/" style="font-size: 1.3em; color: #99a1ac">大饼</a> <a href="/blog/tags/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/" style="font-size: 1.4em; color: #99a5b6">文件上传</a> <a href="/blog/tags/%E6%B1%87%E7%BC%96/" style="font-size: 1.1em; color: #999">汇编</a> <a href="/blog/tags/%E9%9A%8F%E7%AC%94/" style="font-size: 1.1em; color: #999">随笔</a></div></div></div><div class="card-widget card-archives"><div class="card-content"><div class="item-headline"><i class="fas fa-archive"></i><span>归档</span></div><ul class="card-archive-list"><li class="card-archive-list-item"><a 
class="card-archive-list-link" href="/blog/archives/2021/05/"><span class="card-archive-list-date">五月 2021</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/blog/archives/2021/04/"><span class="card-archive-list-date">四月 2021</span><span class="card-archive-list-count">2</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/blog/archives/2021/03/"><span class="card-archive-list-date">三月 2021</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/blog/archives/2021/02/"><span class="card-archive-list-date">二月 2021</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/blog/archives/2021/01/"><span class="card-archive-list-date">一月 2021</span><span class="card-archive-list-count">24</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/blog/archives/2020/12/"><span class="card-archive-list-date">十二月 2020</span><span class="card-archive-list-count">4</span></a></li></ul></div></div><div class="card-widget card-webinfo"><div class="card-content"><div class="item-headline"><i class="fas fa-chart-line"></i><span>网站资讯</span></div><div class="webinfo"><div class="webinfo-item"><div class="item-name">文章数目 :</div><div class="item-count">33</div></div><div class="webinfo-item"><div class="item-name">已运行时间 :</div><div class="item-count" id="runtimeshow" data-publishDate="2020-12-27T16:00:00.000Z"></div></div><div class="webinfo-item"><div class="item-name">本站访客数 :</div><div class="item-count" id="busuanzi_value_site_uv"></div></div><div class="webinfo-item"><div class="item-name">本站总访问量 :</div><div class="item-count" id="busuanzi_value_site_pv"></div></div><div class="webinfo-item"><div class="item-name">最后更新时间 :</div><div class="item-count" 
id="last-push-date" data-lastPushDate="2021-06-19T08:51:05.724Z"></div></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">&copy;2020 - 2021 By Danyhug</div><div class="framework-info"><span>框架 </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>主题 </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="font-plus" type="button" title="放大字体"><i class="fas fa-plus"></i></button><button id="font-minus" type="button" title="缩小字体"><i class="fas fa-minus"></i></button><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/blog/js/utils.js"></script><script src="/blog/js/main.js"></script><div class="js-pjax"><script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div><script defer id="ribbon" src="http://danyhug.gitee.io/blog/js/canvas-ribbon.min.js" size="150" alpha="0.6" zindex="-1" mobile="true" data-click="true"></script></div></body></html>